Audit RDP Port Change Event

Steps to Audit RDP Port Change (Registry):

Enable Audit Policy

1. Enable GPO Audit Settings:

  • Open gpedit.msc (or use GPMC for domain).

  • Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access

  • Enable:

    • Audit Registry → Success and Failure

2. Set auditing on the specific registry key:

  • Open regedit.

  • Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (the PortNumber DWORD value is stored under this key).

  • Right-click the RDP-Tcp key → Permissions → Advanced → Auditing tab → Add (registry auditing is configured on keys, so the entry covers writes to PortNumber and the other values under it):

    • Choose Principal (e.g., Everyone or Authenticated Users)

    • Choose Success for Set Value and Write

3. Check Event Viewer:

  • Go to Security logs.

  • Look for Event ID 4657 (A registry value was modified).

  • It will show:

    • Who made the change (user ID)

    • What key was changed

    • Original and new values
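The three steps above, scripted in PowerShell as an added example (this is not code from the original page). It assumes an elevated session, since reading and writing a registry SACL requires SeSecurityPrivilege; the function and variable names are this example's own choices.

```powershell
# Added example: enable the Registry audit subcategory, put a SACL entry on the RDP-Tcp
# key, then pull the matching 4657 events. Run from an elevated PowerShell session.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Enable-RdpPortAudit {
    # Step 1: Object Access > Registry (local policy; a domain GPO setting takes precedence).
    auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    # Step 2: audit entries live on keys, not on individual values, so the rule goes on
    # the key that contains PortNumber. SetValue is the right that a port change exercises.
    $acl  = Get-Acl -Path $RdpTcpKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $RdpTcpKey -AclObject $acl
}

function Get-RdpPortChangeEvent {
    param([int]$MaxEvents = 500)
    # Step 3: 4657 "A registry value was modified", filtered to the PortNumber value under
    # RDP-Tcp. The event records the resolved control set (e.g. ControlSet001), not
    # CurrentControlSet, so match on the tail of the key path.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields.ObjectValueName -eq 'PortNumber' -and
            $fields.ObjectName -like '*\WinStations\RDP-Tcp') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = '{0}\{1}' -f $fields.SubjectDomainName, $fields.SubjectUserName
                Key      = $fields.ObjectName
                OldValue = $fields.OldValue   # as logged; the type is in OldValueType
                NewValue = $fields.NewValue   # as logged; the type is in NewValueType
                Process  = $fields.ProcessName
            }
        }
      }
}

Enable-RdpPortAudit
Get-RdpPortChangeEvent | Format-Table -AutoSize
```

No 4657 event is written for changes made before the SACL entry exists, so run Enable-RdpPortAudit first and verify with a test change you make yourself.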
